What to do (if affected): Rotate the secrets contained in .env.production. Everyone's setup is a bit different, so you have to judge for yourself, but especially look out for:

- SMTP_PASSWORD
- AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
- VAPID_PRIVATE_KEY / VAPID_PUBLIC_KEY
- DB_PASS
- SECRET_KEY_BASE and OTP_SECRET

(If you still have PAPERCLIP_SECRET in there, you can just remove it; the code doesn't use it anymore.)

If your database server is configured correctly, with a firewall that does not allow outside connections and a pg_hba.conf that also does not allow outside connections (that is the default), or if you are using docker-compose, which keeps the database on an internal network inaccessible from the outside (that is the default), then your database is safe even if DB_PASS was exposed.

If you were performing assets:precompile on a machine without .env.production, then you are not affected by this vulnerability at all, though updating is still advisable.

Special notes on secret rotation:

- Changing the VAPID key pair will break existing Web Push API subscriptions (that is, push notifications from the web UI), but this is not a big deal: the web UI can just re-subscribe.

- Changing SECRET_KEY_BASE will log everyone out, so they will have to log in again.

- Changing OTP_SECRET will break 2FA authentication, because existing OTP secrets are encrypted with the old value. You need to perform an extra step to disable 2FA for everyone so they can re-enable it with the new secret later. From RAILS_ENV=production bundle exec rails console (or the docker-compose equivalent), run: User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)
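The rotation steps above, as an added shell example that is not part of the original advisory: it rewrites a copy of .env.production with fresh SECRET_KEY_BASE and OTP_SECRET values, drops the unused PAPERCLIP_SECRET line, and lists the remaining keys that have to be regenerated with their respective services (SMTP, AWS, VAPID, database). It assumes openssl is installed and uses 128 hex characters per secret, the same length Rails' `rake secret` produces.

```shell
#!/bin/sh
# Added example, not the project's own tooling. Assumes openssl is available.
# After running this, restart Mastodon and run the 2FA reset from the rails
# console (User.update_all(otp_required_for_login: false, encrypted_otp_secret: nil)).

new_secret() {
  # 64 random bytes as 128 hex chars, matching the length of `rake secret`
  openssl rand -hex 64
}

# rotate_env FILE : rewrites FILE in place, keeping a backup as FILE.bak-<epoch>
rotate_env() {
  file="$1"
  cp "$file" "$file.bak-$(date +%s)"
  tmp="$file.tmp"
  : > "$tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      PAPERCLIP_SECRET=*) continue ;;   # no longer used by the code; drop it
      SECRET_KEY_BASE=*)  printf 'SECRET_KEY_BASE=%s\n' "$(new_secret)" >> "$tmp" ;;
      OTP_SECRET=*)       printf 'OTP_SECRET=%s\n' "$(new_secret)" >> "$tmp" ;;
      *)                  printf '%s\n' "$line" >> "$tmp" ;;
    esac
  done < "$file"
  mv "$tmp" "$file"
  chmod 600 "$file"   # the file holds credentials; keep it owner-readable only
}

# still_to_rotate FILE : prints the keys that cannot be regenerated locally
still_to_rotate() {
  grep -oE '^(SMTP_PASSWORD|AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|VAPID_PRIVATE_KEY|VAPID_PUBLIC_KEY|DB_PASS)=' "$1" \
    | sed 's/=$//'
}

# Usage: rotate_env /path/to/.env.production && still_to_rotate /path/to/.env.production
```

The backup file still contains the old secrets, so delete it once the rotation has been verified.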

Other notes: The vulnerability was discovered yesterday (5/14) at 5:30pm (CEST). A patch was merged into master at 5:45pm. At 7:55pm I got in touch with admins of instances I suspected could be affected.